Messages - opnfwb

#31
A good high level check to verify your WAN quality is to enable the gateway monitor IP. By default OPNsense has this disabled. This will give you a graph and also log the loss on the gateway link as a percentage. You want to enable this and look at your WAN quality graphs to see if you're getting packet loss. I've included a screenshot showing where to go to enable the gateway monitoring.

Look at the system log (system/log files/general) and search for the name of the WAN interface. This can be igbX or whatever NIC driver you have assigned to the WAN. See if there are any log events showing in the system log that coincide with the WAN connectivity issues.

Those are the two high level places I'd start looking if you are noticing WAN drops or connection problems. If both of those look stable, then the issue is likely some other configuration or plugin.
#32
Quote from: planetf1 on April 19, 2024, 01:16:49 AM
If you register all dhcp leases, unbound will restart every time the leases change.

While this is indeed the case on the other *sense implementation, I've been using OPNsense for years with registered DHCP and static leases and it does not restart Unbound. Try it and watch your logs, it won't restart.

For the OP, what do your unbound logs say? I'm suspicious of the custom DNS redirect rules, have you truly tried an out of the box configuration without any custom rules?

System > Settings > General
- *UNTICK* Allow DNS server list to be overridden by DHCP/PPP on WAN

Services: Unbound DNS: General
- *UNTICK* Flush DNS Cache during reload
#33
My 2c is that if you choose to change out the entire unit, go with something that has a newer CPU. A J6412 or N100 based system.

My own personal system now is an old J3455 that I've had running for the last 6 years. It sips power and maxes at 14w draw. It will do full gigabit up/down but I don't do any kind of IDS/IPS, so that saves a lot of spare CPU cycles.

If I was buying again today, there are much newer CPUs that still fit in that 10/15w range. The J4xxx series is very close to the J3xxx series in terms of per-core performance.
#34
Quote from: rbabruce on April 17, 2024, 12:20:43 AM
Apologies, both of the dual port cards are in fact PCIe cards.
One is a x1 and the other an x4.

But let's get back to my original question.

How do I upgrade the underlying FreeBSD from 13.1 to 13.3?

The point I was trying to make was mixing PCI and PCIe cards won't yield a desirable amount of throughput. And trying to limp along old chipsets (even the ones you have in PCIe) isn't great either.

Instead of trying to upgrade underlying FreeBSD, can you just boot from the FreeBSD 13.3 DVD ISO and see if all of the NICs are detected? That would save you time of trying to force an upgrade if it may not fix your issue.
#35
Verify that you have at least two PCIe x4 slots (or greater) and then just order two of these: https://www.ebay.com/itm/166706911164.

I would not suggest messing with standard PCI slots. They won't saturate gigabit, especially if you have a dual port card plugged in to a standard 32bit PCI slot.

PCIe has been around since 2005. PCI is positively ancient at this point, don't use it.
#36
Do you know the chipset used for the NIC that is not being detected in OPNsense?

The pciconf output for all of the detected NICs shows they are quite old. I'm assuming this is an OptiPlex 7040 Tower since some of these are PCI based. The I219-LM NIC is the onboard NIC on the Dell mainboard. But the other 3 interfaces (Intel 82546 and Intel 82571) are older, with the 82546 being PCI based.

Rather than waiting for 13.3, I would highly suggest instead just getting newer NICs that are PCIe based. You can find used Intel 4 port server NICs on ebay for $25. Buy two of those and you'd have a way better setup than trying to use a mashup of very old parts and PCI interfaces. And the 7040 Tower should have two x16 slots that will accommodate dual PCIe x4 quad port NICs.
#37
24.1, 24.4 Legacy Series / Re: Swapping NIC types?
April 15, 2024, 05:00:58 AM
You should be okay. Just make sure you have console access to re-assign the NICs on first bootup. Also you may need to redo vnstat or softflowd interface assignments if you're using those plugins.
#38
For me I'm still seeing the same behavior after upgrading and am unsure if I can apply these patches on the newer 24.1.x series?

Is this the new intended behavior to not match partial searches in the Firewall Sessions or States view?

Thanks for your time and apologies if I'm being a "squeaky wheel" on this. But I really liked that feature and I miss it. :)
#39
For bufferbloat and using FQ Codel, this site was very helpful for me. Not my site but I followed these steps exactly to get the limiters and queue managers setup.

https://maltechx.de/en/2021/03/opnsense-setup-traffic-shaping-and-reduce-bufferbloat/
#40
Quote from: twoflekc on February 08, 2024, 06:53:41 PM
Lucky! What ONT do you have?

Mine is an older install, I believe it's a GFLT110.

Router hardware is a passively cooled J3455 with Dual Intel IGB NICs
#41
Fellow Google Fiber user here but I'm on the 500/500 service. Also running 24.1.1 and I haven't noticed an increase in bufferbloat issues.

This test was done via a wired 1gb client just now: https://www.waveform.com/tools/bufferbloat?test-id=44cce432-825a-4677-85c6-05f9d5eba2cb

My OPNsense instance does not currently have any limiters or queue management enabled. I have used it in the past, also with good results but found it wasn't needed to get A scores in the tests.
#42
23.7 Legacy Series / Re: WAN not getting IPV6 address
November 05, 2023, 10:35:02 PM
Can you try spoofing a new MAC on the WAN, and save the changes (but don't yet apply them)? Then go to Interfaces/Settings and change the DHCP Unique Identifier, just use the options to generate a new random one. Save the changes and shut down OPNsense. Then unplug/reboot your ISP modem.

Plug the modem or ONT back in and let it come back online. Once the modem or ONT is back online, power OPNsense back up. It will boot with the new WAN MAC and DUID that was generated above. This should get you a new IPV4 and IPV6 address.

I've seen issues where a provider won't issue a new DHCPv6 prefix when the DUID changes but the MAC stays the same. I'm wondering if that's what is occurring here. Doing the above steps always works for me to get DHCPv6 back up and running.
#43
Nice! Always fun when a cheap fix does the trick.

I've used those i340 server card pulls for years in various routers. They're quite reliable, I haven't had one fail yet. Hopefully it gives you many years of service.
#44
I agree with what vpx23 mentioned for iperf testing, don't host a server or client session on the router itself. Its job is to route, so have a server sitting on one side of the router and a client sitting on another side and run the tests pushing/pulling traffic through the router.

It's also worth noting any other services that may be configured on OPNsense. Any IPS/IDS services can also slow down throughput. Ideally the tests should be done with a bare minimal install, slowly configure and turn on components to see where the bottleneck is happening. If you're running IDS/IPS usually the CPU will be the limiting factor first.

Another thing worth checking is cable quality and the length of the runs. You mention this is at a farmhouse so are we using any kind of powerline over ethernet components or other oddities? Those can have an impact as well.
#45
At this point we're slapping stuff together. I don't say this in a bad way, I love slapping rigs together and making it work so don't take that as a negative. ;)

I would think you would still have some good support for a horizontal mounted card even without it plugged in to a PCB riser. You'll have the screw clamping the top of the card to the case and most of the cases I've worked with have a small t-slot at the bottom for the end of the expansion card to nest in. Once you have your ethernet cables plugged in, those too will stabilize the slot somewhat. It should be workable. If all else fails, duct tape the end of the expansion card to the inside of the case and it should be serviceable. It won't be pretty but it should work and get you symmetric gigabit throughput.

This is a genuine Intel I340 for not much money, I've used this seller before as they have been good to deal with: https://www.ebay.com/itm/235149064664

If you have a Micro Center nearby they also should sell PCIe ribbon extenders and they may be higher quality than the ones you can find on ebay or amazon.

Let us know how you end up.